Just to clarify, authentication to my mind means providing username/password credentials. There's nothing in the connector aside from maybe the clientAuth="false" attribute that controls this. Setting that true would mean the client browser is required to send an authentication certificate during the initial handshake. Do you mean accessing without encryption or server certificate? If so, are there any other connectors configured? Can you offer any more specific information regarding what the support team found?
--David

sunil chandran wrote:
> Hello sir,
>
> I am sorry. I am using tomcat 4
>
>     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8443" minProcessors="5" maxProcessors="150"
>                enableLookups="true"
>                acceptCount="100" debug="0" scheme="https" secure="true"
>                useURIValidationHack="false" disableUploadTimeout="true">
>       <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>                keystoreFile=".keystore" keystorePass="mypass"
>                clientAuth="false" protocol="TLS" />
>     </Connector>
>
> this is the portion of server.xml. I have enabled ssl.
>
> still there are some vulnerabilities as informed by support team. They say
> that tomcat is configured to access without authentication.
>
> 1. is it true?
> 2. How can we confirm if the tomcat SSL is configured using any algorithm to
> authenticate or “none”.
>
> please help me.
>
> regards
> Sunil C
>
> --- On Tue, 4/8/09, Mark Thomas <ma...@apache.org> wrote:
>
> From: Mark Thomas <ma...@apache.org>
> Subject: Re: avoiding ssl vulnerabilities in tomcat
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Date: Tuesday, 4 August, 2009, 2:42 PM
>
> sunil chandran wrote:
>> there are some vulnerabilities existing on my server:
>>
>> SSL Server Allows Cleartext Communication Vulnerability
>
> <snip/>
>
>> Can someone help me identify the place in server.xml file to avoid these
>> vulnerabilities.
>
> You didn't say which Tomcat version so I am going to assume 6.0.20.
> Neither did you say which connector you are using. I am going to assume
> the default Java blocking IO connector.
>
> The info you require is in the docs. Take a look at the SSL section of
> this page:
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
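The questions David raises (are there other connectors configured, and does clientAuth require a client certificate) can be answered by reading server.xml rather than guessing from a scanner report. The script below is an added example written for this thread; it is not part of the original messages and not Tomcat's own tooling. It parses a constructed server.xml that contains Sunil's Tomcat 4 connector verbatim plus an assumed plain HTTP connector on port 8080, merges the nested <Factory> attributes (Tomcat 4 style) with the <Connector> attributes (Tomcat 6 style, where SSLEnabled="true" and a ciphers attribute live on the connector, per the http.html page Mark links), and reports per connector whether it is TLS, whether a client certificate is required, and whether a cipher list is set. Whether Tomcat 4's Factory accepts a ciphers attribute is not stated on the page, so that check is only meaningful for the Tomcat 6 form.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the 8443 connector is the one quoted in the
# thread; the 8080 connector is an assumed, typical plain HTTP connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8080" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="8443"
               acceptCount="100" debug="0" connectionTimeout="20000"
               useURIValidationHack="false" disableUploadTimeout="true" />
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="150"
               enableLookups="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               keystoreFile=".keystore" keystorePass="mypass"
               clientAuth="false" protocol="TLS" />
    </Connector>
  </Service>
</Server>
"""


def ssl_settings(connector):
    """Merge a nested <Factory>'s attributes (Tomcat 4 puts the SSL settings
    there) with the <Connector>'s own attributes (Tomcat 6 puts them on the
    connector). Connector attributes win if both define the same name."""
    merged = {}
    for factory in connector.findall("Factory"):
        merged.update(factory.attrib)
    merged.update(connector.attrib)
    return merged


def is_true(attrs, name, default="false"):
    return attrs.get(name, default).strip().lower() == "true"


def audit_connectors(server_xml):
    """Return one dict per <Connector>, in document order, describing its
    transport security posture and listing findings as plain strings."""
    root = ET.fromstring(server_xml)
    report = []
    for conn in root.iter("Connector"):
        attrs = ssl_settings(conn)
        entry = {"port": attrs.get("port", "?"), "findings": []}
        # Tomcat 4 marks an SSL connector with scheme/secure; Tomcat 6 adds SSLEnabled.
        entry["tls"] = (is_true(attrs, "secure") or is_true(attrs, "SSLEnabled")
                        or attrs.get("scheme", "http").lower() == "https")
        if not entry["tls"]:
            entry["findings"].append("plaintext HTTP connector: traffic is unencrypted")
            report.append(entry)
            continue
        entry["protocol"] = attrs.get("protocol")
        entry["keystoreFile"] = attrs.get("keystoreFile")
        entry["clientAuth"] = attrs.get("clientAuth", "false").lower()
        if entry["clientAuth"] != "true":
            # This is the normal setting for browser clients; it only means the
            # server authenticates itself, not that the client must present a cert.
            entry["findings"].append(
                "clientAuth=%s: no client certificate required" % entry["clientAuth"])
        if "ciphers" not in attrs:
            entry["findings"].append(
                "no 'ciphers' attribute: cipher suites left to JVM defaults")
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in audit_connectors(SAMPLE_SERVER_XML):
        kind = "TLS" if entry["tls"] else "plain"
        print("port %s (%s)" % (entry["port"], kind))
        for f in entry["findings"]:
            print("  - " + f)
```

Run against a real server.xml by replacing SAMPLE_SERVER_XML with the file contents; a connector listed as plain is the one a scanner would report as allowing cleartext, and a TLS connector with clientAuth=false is what the thread's "configured to access without authentication" most plausibly refers to.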